CVE-2022-27617
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors...
CVE-2022-27616
Improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability in webapi component in Synology DiskStation Manager DSM before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors...
Synology WebDAV Server Path Traversal Vulnerability
Synology WebDAV Server is an HTTP extension service that allows users to edit and manage files stored on remote servers. A path traversal vulnerability exists in Synology WebDAV Server, which stems from an improper restriction of the pathname of a restricted directory by the webapi component, and...
Synology CardDAV Server SQL Injection Vulnerability
Synology CardDAV Server is a contact management package from Synology China. It allows you to synchronize and access the address book on a Synology NAS. A SQL injection vulnerability exists in Synology CardDAV Server versions prior to 6.0.10-0153, which stems from improper neutralization of special...
PT-2022-18516 · Synology · Audio Station
Name of the Vulnerable Software and Affected Versions: Synology Audio Station versions prior to 6.5.4-3367 Description: The issue is related to an improper limitation of a pathname to a restricted directory, also known as a 'Path Traversal' vulnerability, in the webapi component. This allows remo...
CVE-2022-27610
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in webapi component in Synology DiskStation Manager DSM before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors...
PT-2022-15632 · Synology · Synology Calendar
Name of the Vulnerable Software and Affected Versions: Synology Calendar versions prior to 2.3.4-0631 Description: A Cross-Site Request Forgery (CSRF) issue in the webapi component allows remote authenticated users to hijack the authentication of administrators via unspecified vectors. This could...
CVE-2022-27613
Improper neutralization of special elements used in an SQL command 'SQL Injection' vulnerability in webapi component in Synology CardDAV Server before 6.0.10-0153 allows remote authenticated users to inject SQL commands via unspecified vectors...
CVE-2021-36200
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users...
Code injection
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users...
CVE-2021-36200
CVE-2021-36200 affects Johnson Controls Metasys ADS/ADX/OAS with MUI, specifically versions 10 and 11. The vulnerability is missing authentication for a critical function, allowing an unauthenticated user to access the Metasys web API and enumerate users. CVSS v3 base score is 5.3 (AV:N/AC:L/PR:N...
CVE-2021-36200 Metasys ADS/ADX/OAS with MUI
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users...
CVE-2022-36305
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php...
Vesta Control Panel Cross-Site Scripting Vulnerability
Vesta Control Panel (VestaCP) is an open source web hosting control panel. A security vulnerability exists in Vesta Control Panel version v1.0.0-5: the post function reached via /web/api/v1/upload/UploadHandler.php was found to contain a cross-site scripting (XSS) vulnerability...
CVE-2022-33138
A vulnerability has been identified in SIMATIC MV540 H All versions V3.3, SIMATIC MV540 S All versions V3.3, SIMATIC MV550 H All versions V3.3, SIMATIC MV550 S All versions V3.3, SIMATIC MV560 U All versions V3.3, SIMATIC MV560 X All versions V3.3. Affected devices do not perform authentication f...
Authentication flaw
A vulnerability has been identified in SIMATIC MV540 H All versions V3.3, SIMATIC MV540 S All versions V3.3, SIMATIC MV550 H All versions V3.3, SIMATIC MV550 S All versions V3.3, SIMATIC MV560 U All versions V3.3, SIMATIC MV560 X All versions V3.3. Affected devices do not perform authentication f...
CVE-2022-33138
CVE-2022-33138 affects Siemens SIMATIC MV500 family (MV540 H/S, MV550 H/S, MV560 U/X): all versions before v3.3. The root cause is missing authentication for several web API endpoints, enabling an unauthenticated remote attacker to read and download data from the device. Siemens-Mitigation: updat...